Key Technologies of an API Gateway

## 1. Automatic acquisition of client credentials

A user registers an account on the gateway platform and submits a purchase ticket for an API. Once the ticket is approved, the user can enter the API console and create an APP application there. The platform assigns each APP a unique authorization credential, and the user obtains the APP credentials (APPkey, APPsecret) automatically.

The platform's authentication and authorization centre API generates the APPkey and APPsecret according to the following rules:

- APPkey: a random 32-character string of letters and digits.
- APPsecret: the MD5 digest of the APPkey computed with the key "htzz"; the key can be adjusted as needed.

## 2. Obtaining a call token

Four parameters, the gateway platform account, its password and the APP credentials (APPkey, APPsecret), are exchanged for an access_token through the platform's authentication and authorization centre API. The user can also obtain the token directly from the console.

### (1) Token acquisition

The detailed steps are:

1. The enterprise purchases API resources through a ticket.
2. The authentication and authorization centre issues client credentials to the APP.
3. The client credentials and the caller information are exchanged for a token.
4. The authentication and authorization centre generates a random 36-character token and stores the user information together with the permission information for the callable API resources in the tokenStore, preparing the base authentication data for calls made with that token.
5. The token is returned to the caller (API or web).

### (2) Token authentication rules

The authentication rules in detail:

- The caller invokes the API as required, carrying parameter 1: appkey, parameter 2: token, plus the API parameters.
- The authentication and authorization centre checks whether the token exists in the tokenStore; if it does not, an error is returned and the call ends.
- If the token exists in the tokenStore, the authorization centre's filter checks the caller's permission for the requested API resource; if there is no permission, an error is returned and the call ends.
- If the caller has permission, the request is forwarded through the Zuul dynamic routing gateway, the real API is invoked, the result is returned and the call ends.

## 3. Shiro permission management

Apache Shiro is a security framework for Java. It is used by more and more people because it is quite simple. Compared with Spring Security it may be less feature-rich, but real projects often do not need that complexity, so the small and simple Shiro is sufficient.

Shiro makes it easy to build good-enough applications and can be used in both Java SE and Java EE environments. It covers authentication, authorization, cryptography, session management, web integration, caching and more. Its API is also very simple; its basic features are shown in the figure below.

![Shiro basic features](https://static001.geekbang.org/infoq/42/425dc99ff19ed628246eafbcf74fbb8c.png)

- Authentication: identity authentication (login), verifying whether a user really holds the claimed identity.
- Authorization: permission checking, verifying whether an authenticated user holds a given permission, that is, whether the user may perform an action. Common cases are checking whether a user has a given role, or, at finer granularity, whether a user has a given permission on a given resource.
- Session Manager: session management. Once a user has logged in, a session exists and, until logout, all of the user's information lives in that session. Sessions can be used in a plain Java SE environment as well as in a web environment.
- Cryptography: protecting data, for example storing passwords in the database in encrypted form rather than as plaintext.
- Web Support: easy integration into web environments.
- Caching: after login, the user's information, roles and permissions need not be looked up on every request, which improves efficiency.
- Concurrency: Shiro supports permission checks in multithreaded applications; when one thread starts another, the permissions are propagated automatically.
- Testing: test support is provided.
- Run As: allows a user to access the system under another user's identity (if that user permits it).
- Remember Me: a very common feature; after one login, the user need not log in again on the next visit.

Shiro does not maintain users or permissions itself; we design and provide these ourselves and then inject them into Shiro through the corresponding interfaces.

| Table name | Description |
| --- | --- |
| v2_api_user | API developer users |
| v2_api_user_role | Developer-to-role relation table, maintained automatically by the system. |
| v2_api_role | API role table, bound to enterprise tickets. |
| v2_api_role_perms | API role-to-permission relation table, maintained automatically by the system. |
| v2_api_perms | API permission table, bound to each individual API. |

## 4. Zuul dynamic gateway routing

Zuul is an open-source component from Netflix, a framework dedicated to providing edge services such as dynamic routing, monitoring, resilience and security on a cloud platform. We use it as a core part of the gateway, combining dynamic routing, dynamic permissions, rate limiting and quotas into one component that gives other departments' projects unified management of external calls, ultimately forming the API gateway product.

Zuul architecture diagram:

![Zuul architecture](https://static001.geekbang.org/infoq/2b/2bf8b4b62c505f3ec4c68bfb8d9e539b.png)

In Zuul, a request is processed as follows. The request is first handed to the ZuulServlet. The ZuulServlet holds a ZuulRunner object, which initializes a RequestContext that stores data for the whole request and is shared by all ZuulFilters. The ZuulRunner also holds a FilterProcessor, the manager that executes all ZuulFilters. The FilterProcessor obtains ZuulFilters from the FilterLoader; the filters themselves are loaded by the FilterFileManager, which supports Groovy hot loading by polling. With these filters in place, the ZuulServlet first runs the pre-type filters, then the route-type filters, and finally the post-type filters; if an error occurs while running these filters, the error-type filters are executed. After all filters have run, the result of the request is returned to the client.

Zuul's default routing path is ZuulController -> ZuulServlet (preRoute() route() postRoute()) -> ZuulFilter (SimpleHostRoutingFilter, which performs the actual forwarding). To implement dynamic routing, override the locateRoutes method of Zuul's default SimpleRouteLocator class so that route information is read from the database, and implement the refresh method of the RefreshableRouteLocator interface. The details are as follows:

![Dynamic route locator](https://static001.geekbang.org/infoq/8a/8aee79899945cb9a868c9543d225d4c7.png)

CustomRouteLocator (route locator class):

- Overrides the parent's locateRoutes method to fetch route information dynamically from the database.
- Overrides the refresh method to refresh the dynamic route information.

CustomZuulConfig (route configuration class): injects the custom route locator.
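The credential rules of section 1 and the token exchange and validation rules of section 2 are modelled below in an added Python example; it is not the platform's code, and it assumes concatenation for how the "htzz" key is mixed into the MD5 digest (the page does not say), adds an APPkey-to-token binding check the page does not mention, and shows a random per-APP secret as an alternative to the derived one, since a derived secret can be recomputed by anyone who knows the fixed key.

```python
import hashlib
import hmac
import secrets
import string
import uuid

ALPHABET = string.ascii_letters + string.digits
APPSECRET_KEY = "htzz"  # the page's derivation key (adjustable, per the page)

def make_appkey() -> str:
    """APPkey: 32 random letters and digits, as the page specifies."""
    return "".join(secrets.choice(ALPHABET) for _ in range(32))

def make_appsecret_as_described(appkey: str, key: str = APPSECRET_KEY) -> str:
    """APPsecret per the page: MD5 over the APPkey 'with key htzz'. How the key is
    mixed in is not stated, so concatenation is assumed here. Anyone holding the
    fixed key can recompute this secret from the (non-secret) APPkey."""
    return hashlib.md5((appkey + key).encode()).hexdigest()

def make_appsecret_random() -> str:
    """Alternative (not on the page): an independent random secret per APP."""
    return secrets.token_hex(16)

class AuthCenter:
    """Toy authentication/authorization centre with an in-memory tokenStore."""

    def __init__(self) -> None:
        self.accounts: dict[str, str] = {}  # username -> password (demo only)
        self.apps: dict[str, str] = {}      # APPkey -> APPsecret
        self.token_store: dict[str, dict] = {}  # token -> user + permitted APIs

    def issue_token(self, user, password, appkey, appsecret, apis):
        """Steps 3-4: exchange the four parameters for a 36-character token."""
        if not hmac.compare_digest(self.accounts.get(user, "").encode(), password.encode()):
            return None
        if not hmac.compare_digest(self.apps.get(appkey, "").encode(), appsecret.encode()):
            return None
        token = str(uuid.uuid4())  # 36 characters, as the page states
        self.token_store[token] = {"user": user, "appkey": appkey, "apis": set(apis)}
        return token

    def check_call(self, appkey, token, api):
        """Validation rules: unknown token -> error; no permission -> error; else route."""
        entry = self.token_store.get(token)
        if entry is None or entry["appkey"] != appkey:  # appkey binding: added check
            return "ERR_TOKEN"
        if api not in entry["apis"]:
            return "ERR_NO_PERMISSION"
        return "ROUTE"
```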